5.5.4 Module Quiz - ACL Configuration Answers for IPv4
1. The computers used by a school's network administrators are on the 10.7.0.0/27 network. What are the two minimum commands required to apply an ACL that ensures that only devices used by network administrators have telnet access to routers? (Choose two.)
- access-class 5 in
- access-list standard VTY permit 10.7.0.0 0.0.0.127
- access-list 5 permit 10.7.0.0 0.0.0.31
- ip access-group 5 in
- ip access-group 5 out
- access-list 5 deny any
Explanation: Named and numbered access lists can be used on vty lines to control remote access. The first ACL command, access-list 5 permit 10.7.0.0 0.0.0.31, allows traffic originating from any device on the 10.7.0.0/27 network. The second ACL command, access-class 5 in, applies the access list to the vty lines.
2. Refer to the access list output shown.
R1# show access-lists
Extended IP access list 100
    deny tcp host 10.1.1.2 host 10.1.1.1 eq telnet
    deny tcp host 10.1.2.2 host 10.1.2.1 eq telnet
    permit ip any any (15 matches)
What are two characteristics of this access list? (Choose two.)
- Only device 10.1.1.2 can telnet to the router that was assigned the IP address 10.1.1.1.
- Device 10.1.2.1 should not telnet to device 10.1.2.2.
- Any device can telnet to device 10.1.2.1.
- A network administrator would not be able to determine whether or not the access list has been applied to an interface.
- Any device on the 10.1.1.0/24 network (except the 10.1.1.2 device) can telnet to the router assigned the 10.1.1.1 IP address.
- The access list has been applied to an interface.
Explanation: The access list stops telnet traffic from device 10.1.1.2 to device 10.1.1.1. It also stops telnet traffic from device 10.1.2.2 to device 10.1.2.1. All other TCP/IP traffic is allowed. The access list is in effect, as shown by the 15 matches recorded on the last ACE.
3. Which command checks the number of packets allowed or denied by an ACL that restricts SSH access?
- show ip interface brief
- show ip ssh
- show running-config
- show access-lists
Explanation: The show access-lists command displays each line of an access list and the number of times each statement was matched. The show running-config command displays the statements as configured but gives no information about matches. The show ip ssh command provides general information about the SSH configuration.
4. Which access list entry permits HTTP traffic originating from host 10.1.129.100, port 4300, and destined for host 192.168.30.10?
- access-list 101 permit tcp any eq 4300
- access-list 101 permit tcp 192.168.30.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
- access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.30.10 0.0.0.0 eq www
- access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 4300 192.168.30.0 0.0.0.15 eq www
- access-list 101 permit host tcp 192.168.30.10 eq 80 10.1.0.0 0.0.255.255 eq 4300
Explanation: The HTTP protocol uses port 80, which is indicated in an ACL with the parameter "eq 80" or "eq www". The first IP address listed in an ACE is the source address, together with its wildcard mask. With a source address of 10.1.128.0 and a wildcard mask of 0.0.1.255, source addresses from 10.1.128.0 through 10.1.129.255 are matched.
5. When configuring router security, which statement describes the most effective way to use ACLs to control Telnet traffic destined for the router itself?
- The ACL must be applied to each vty line individually.
- The ACL is applied to the telnet port using the ip access-group command.
- The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.
- Apply the ACL to the vty lines without the in or out option that is required when applying ACLs to interfaces.
Explanation: Because someone outside the router is trying to use a protocol such as Telnet or SSH to gain access to the router, the ACL must be applied inbound on the vty lines.
6. Which packets would match the access control list statement shown below?
access-list 110 permit tcp 172.16.0.0 0.0.0.255 any eq 22
- any TCP traffic from the 172.16.0.0 network to any destination network
- SSH traffic from the 172.16.0.0 network to any destination network
- SSH traffic from any source network to the 172.16.0.0 network
- any TCP traffic from any host to the 172.16.0.0 network
Explanation: The statement access-list 110 permit tcp 172.16.0.0 0.0.0.255 any eq 22 matches traffic to port 22, which is SSH, originating from the 172.16.0.0/24 network and going to any destination.
7. Consider the following access list command applied outbound on a router serial interface.
access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo-reply
What is the effect of applying this access list command?
- Users on the 192.168.10.0/24 network cannot relay traffic to other destinations.
- The only traffic that is rejected is ICMP-based traffic. Any other traffic is allowed.
- The only traffic that will be dropped is echo replies coming from the 192.168.10.0/24 network. Any other traffic is allowed.
- Outgoing data traffic is not allowed on the serial interface.
Explanation: Every extended access list ends with an implicit deny ip any any statement, so no traffic can be sent out the serial interface.
8. Consider the following output for an ACL that has been applied to a router using the access-class command. What can a network administrator determine from the displayed output?
R1# <output omitted>
Standard IP access list 2
    10 permit 192.168.10.0, wildcard bits 0.0.0.255 (2 matches)
    20 deny any (1 match)
- Traffic from a device could not enter one port on the router and be routed on another port on the router.
- Two devices can access the router via SSH or Telnet.
- Two devices connected to the router have the IP addresses 192.168.10.x.
- Traffic from two devices was allowed to enter one port on the router and exit to another port on the router.
Explanation: The access-class command is used only on vty ports. The vty ports support Telnet and/or SSH traffic. The matches on the permit ACE indicate how many attempts were allowed through the vty ports. The match on the deny ACE shows that a device on a network other than 192.168.10.0 was unable to reach the router through the vty ports.
9. Which two commands configure a standard ACL? (Choose two.)
- Router(config)# access-list 45 permit 192.168.200.4 host
- Router(config)# access-list 10 permit 10.20.5.0 0.255.255.255 any
- Router(config)# access-list 20 permit host 192.168.5.5 any any
- Router(config)# access-list 35 permit host 172.31.22.7
- Router(config)# access-list 90 permit 192.168.10.5 0.0.0.0
Explanation: Standard access lists have the syntax access-list, a number between 1 and 99, the permit or deny keyword, and a source IP address (including a wildcard mask).
10. Which incoming ICMP message should be permitted on an external interface to aid troubleshooting?
- timestamp reply
- timestamp request
- echo request
- echo reply
- router advertisement
Explanation: By allowing ICMP echo reply messages to enter the organization, internal users can ping external addresses (and the reply messages can return).
11. Which two ACEs can be used to deny IP traffic from a single source host 10.1.1.1 to the 192.168.0.0/16 network? (Choose two.)
- access-list 100 deny ip 192.168.0.0 0.0.255.255 10.1.1.1 0.0.0.0
- access-list 100 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.1
- access-list 100 deny ip host 10.1.1.1 192.168.0.0 0.0.255.255
- access-list 100 deny ip 192.168.0.0 0.0.255.255 10.1.1.1 255.255.255.255
- access-list 100 deny ip 10.1.1.1 255.255.255.255 192.168.0.0 0.0.255.255
- access-list 100 deny ip 10.1.1.1 0.0.0.0 192.168.0.0 0.0.255.255
Explanation: There are two ways to identify a single host in an access list entry. One is to use the host keyword with the host's IP address; the other is to use a wildcard mask of 0.0.0.0 with the host's IP address. The source of the traffic examined by the access list comes first in the syntax and the destination comes last.
12. An administrator has configured an access list on R1 to allow SSH administrative access from host 172.16.1.100. Which command applies the ACL correctly?
- R1(config-line)# access-class 1 in
- R1(config-line)# access-class 1 out
- R1(config-if)# ip access-group 1 out
- R1(config-if)# ip access-group 1 in
Explanation: Administrative access via SSH to the router is through the vty lines. Therefore, the ACL must be applied to these lines in the inbound direction. This is done by entering line configuration mode and issuing the access-class command.
13. What are two keywords that can be used in an access control list to replace a wildcard mask or a wildcard mask-address pair? (Choose two.)
Explanation: The host keyword is used when a specific device IP address is used in an ACL. For example, the deny host 192.168.5.5 command is the same as the deny 192.168.5.5 0.0.0.0 command. The any keyword is used to match any host that meets the criteria. For example, the permit any command is the same as the permit 0.0.0.0 255.255.255.255 command.
14. Which two packet filters can a network administrator use in an extended IPv4 ACL? (Choose two.)
- computer type
- destination MAC address
- Destination UDP port number
- ICMP message type
Explanation: Extended access lists typically filter on source and destination IPv4 addresses and TCP or UDP port numbers. Additional filtering can be provided for protocol types.
15. The second ACE shown in the following example incorrectly specifies port 400 instead of port 443. What is the best way to correct this error?
R1# show access-lists
Extended IP access list SURFING
    10 permit tcp 192.168.10.0 0.0.0.255 any eq www
    20 permit tcp 192.168.10.0 0.0.0.255 any eq 400
R1#
- Copy the ACL into a text editor, correct the ACE, and copy the ACE back to the router.
- Create a new named ACL and apply it to the router interface.
- Enter permit tcp 192.168.10.0 0.0.0.255 any eq 443.
- Enter no 20 and then enter permit tcp 192.168.10.0 0.0.0.255 any eq 443.
- Delete the entire ACL and recreate it with the correct ACE.
Explanation: The ip access-list command can be used to edit an existing named or numbered ACL. ACEs can be removed with the no command followed by the sequence number.
16. A network administrator must configure a standard ACL so that only the administrator's workstation with IP address 10.1.1.10 can access the virtual terminal of the main router. Which two configuration commands can accomplish the task? (Choose two.)
- R1(config)# access-list 10 permit host 10.1.1.10
- R1(config)# access-list 10 permit 10.1.1.10 255.255.255.0
- R1(config)# access-list 10 permit 10.1.1.10 255.255.255.255
- R1(config)# access-list 10 permit 10.1.1.10 0.0.0.0
- R1(config)# access-list 10 permit 10.1.1.10 0.0.0.255
Explanation: To permit or deny one specific IPv4 address, either the wildcard mask 0.0.0.0 (placed after the IP address) or the keyword host (placed before the IP address) can be used.
17. A network administrator writes a standard ACL to deny all traffic on the 10.10.0.0/16 network, but allows all other traffic. What two commands should be used? (Choose two.)
- R1(config)# access-list 55 deny any
- R1(config)# access-list 55 permit any
- R1(config)# access-list 55 host 10.10.0.0
- R1(config)# access-list 55 deny 10.10.0.0 0.0.255.255
- R1(config)# access-list 55 deny 10.10.0.0 255.255.0.0
- R1(config)# access-list 55 10.10.0.0 255.255.255.255
Explanation: To deny traffic from the 10.10.0.0/16 network, the access-list 55 deny 10.10.0.0 0.0.255.255 command is used. To permit all other traffic, the access-list 55 permit any statement is added.
18. In the following example, you forgot to enter an ACE to deny the user with IP address 192.168.10.10. Which command would correctly enter the ACE to filter this address?
R1# show access-lists
Extended IP access list PERMIT-NET
    10 permit ip 192.168.10.0 0.0.0.255 any
    20 permit ip 192.168.11.0 0.0.0.255 any
R1#
- deny ip host 192.168.10.10
- 5 deny ip host 192.168.10.10
- 15 deny ip host 192.168.10.10
- 25 deny ip host 192.168.10.10
Explanation: The host must be filtered first, so adding sequence number 5 at the beginning of the ACE inserts it before the ACE that permits the 192.168.10.0/24 network.
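The wildcard-mask, host/any, first-match and implicit-deny rules used in the explanations of questions 4, 6, 7, 11, 15 and 18 can be checked with a small evaluator. The following is an added example, not code from the quiz page or from Cisco IOS: it accepts a subset of IOS ACE syntax (standard ACEs and extended ip/tcp/udp/icmp ACEs with an optional eq port and an ICMP type word), keeps per-ACE match counters like show access-lists, and supports sequence-number insertion and removal as in question 18 and question 15. The packets it evaluates are constructed dictionaries, not captured traffic.

```python
"""Tiny evaluator for Cisco-IOS-style IPv4 access lists (added example, not IOS code)."""
import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22}  # the IOS port keywords used on this page
ANY = ("0.0.0.0", "255.255.255.255")                # 'any' == 0.0.0.0 with an all-ones wildcard


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _is_ip(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def wildcard_match(addr, base, wildcard):
    """A 0 bit in the wildcard must equal the base; a 1 bit is don't-care."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' | bare 'A' (a host) -> (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    if tokens and _is_ip(tokens[0]):
        return t, tokens.pop(0)
    return t, "0.0.0.0"


def _parse_port(tokens):
    """Consume an optional 'eq <port>' -> port number, or None when absent."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def parse_ace(text):
    """Parse 'permit|deny [proto] src [eq p] [dst [eq p]] [icmp-type]' into a dict."""
    tokens = text.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError("ACE must start with permit or deny: " + text)
    ace = {"action": action, "proto": "ip", "sport": None, "dport": None,
           "icmp_type": None, "hits": 0}
    if tokens[0] in ("ip", "tcp", "udp", "icmp"):      # extended ACE
        ace["proto"] = tokens.pop(0)
        ace["src"] = _parse_addr(tokens)
        ace["sport"] = _parse_port(tokens)
        ace["dst"] = _parse_addr(tokens)
        ace["dport"] = _parse_port(tokens)
        if ace["proto"] == "icmp" and tokens:           # e.g. echo-reply
            ace["icmp_type"] = tokens.pop(0)
    else:                                               # standard ACE: source only
        ace["src"] = _parse_addr(tokens)
        ace["dst"] = ANY
    return ace


def ace_matches(ace, pkt):
    """pkt is a constructed dict: proto, src, dst, and optional sport/dport/icmp_type."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *ace["src"]) or not wildcard_match(pkt["dst"], *ace["dst"]):
        return False
    for field in ("sport", "dport", "icmp_type"):
        if ace[field] is not None and pkt.get(field) != ace[field]:
            return False
    return True


class ACL:
    def __init__(self):
        self.entries = {}  # sequence number -> parsed ACE

    def add(self, text, seq=None):
        if seq is None:  # IOS appends new ACEs at the next multiple of 10
            seq = max(self.entries, default=0) + 10
        self.entries[seq] = parse_ace(text)
        return seq

    def remove(self, seq):  # the 'no <seq>' form used inside ip access-list mode
        del self.entries[seq]

    def evaluate(self, pkt):
        """First matching ACE decides; a packet matching nothing hits the implicit deny."""
        for seq in sorted(self.entries):
            if ace_matches(self.entries[seq], pkt):
                self.entries[seq]["hits"] += 1
                return self.entries[seq]["action"]
        return "deny"

    def hits(self):
        return {seq: e["hits"] for seq, e in sorted(self.entries.items())}


def demo_permit_net():
    """Question 18: PERMIT-NET with ACEs 10 and 20, then '5 deny ip host 192.168.10.10 any'."""
    acl = ACL()
    acl.add("permit ip 192.168.10.0 0.0.0.255 any")   # seq 10
    acl.add("permit ip 192.168.11.0 0.0.0.255 any")   # seq 20
    acl.add("deny ip host 192.168.10.10 any", seq=5)  # inserted ahead of the /24 permit
    blocked = acl.evaluate({"proto": "tcp", "src": "192.168.10.10", "dst": "10.0.0.1", "dport": 80})
    allowed = acl.evaluate({"proto": "tcp", "src": "192.168.10.11", "dst": "10.0.0.1", "dport": 80})
    return blocked, allowed, acl.hits()
```

Running demo_permit_net() returns ("deny", "permit", {5: 1, 10: 1, 20: 0}): the host ACE at sequence 5 catches 192.168.10.10 before sequence 10 would have permitted it, and the counters are what show access-lists would report as matches. Adding the same deny at sequence 25 instead would never be reached, which is the ordering point the question 18 explanation makes.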
19. You create a standard ACL named PERMIT-VTY to allow only a single administrative host vty access to the router. Which line configuration command correctly applies this ACL to the vty lines?
- access-class PERMIT-VTY in
- access-class PERMIT-VTY out
- ip access-group PERMIT-VTY in
- ip access-group PERMIT-VTY out
Explanation: The access-class ACL-Name in line configuration mode command correctly applies a standard ACL to the vty lines.
20. What is the effect of the ACE permit tcp 10.10.100 0.0.0.255 any eq www if it is applied to a G0/0 interface?
- All TCP traffic is allowed and all other traffic is denied.
- All traffic from 10.10.100/24 is allowed on any port.
- The router rejects the command because it is incomplete.
- Outgoing traffic from 10.10.100/24 is allowed for all TCP port 80 destinations.
Explanation:Outgoing traffic from 10.10.100/24 is allowed to all destinations listening on TCP port 80 (i.e. www).
21. How does the CLI prompt change after the ip access-list extended AAAFILTER command is entered in global configuration mode?
- R1(config-if)#
- R1(config-line)#
- R1(config-router)#
- R1(config-std-nacl)#
Explanation: After the command is entered, the router enters named extended ACL configuration mode, with the prompt R1(config-ext-nacl)#.